ncbo / ontologies_api

Hypermedia API for NCBO's ontology-related projects
http://data.bioontology.org

Password reset links expire after single-click without password reset #140

Open jvendetti opened 5 months ago

jvendetti commented 5 months ago

The expiry for password reset links was recently changed (see #133), and part of the new behavior feels somewhat confusing. The link to reset a password can only be clicked once without generating an error, regardless of whether a user actually resets their password. Consider the following steps:

The second click on the reset link results in a `401 Password reset not authorized with this token` error. My expectation is that subsequent clicks on the link should be allowed, and that the link wouldn't be expired until the user actually resets their password, or the one-hour time limit to reset has been exceeded.
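The behavior requested in the comment above, sketched as an added example (not code from ontologies_api): following the link only validates the token, and the token is consumed when the password is actually changed or the one-hour limit passes. The class name `ResetTokenStore`, its methods, the in-memory hash and the injected clock are all hypothetical.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory store; not the ontologies_api implementation.
class ResetTokenStore
  TTL_SECONDS = 3600 # the one-hour limit mentioned in the issue

  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @records = {} # username => { digest:, issued_at: }
  end

  # Issue a token; only its SHA-256 digest is kept server-side.
  def issue(username)
    token = SecureRandom.urlsafe_base64(32)
    @records[username] = { digest: Digest::SHA256.hexdigest(token), issued_at: @clock.call }
    token
  end

  # Link click: checks the token but does NOT consume it, so repeat clicks succeed.
  def valid?(username, token)
    rec = @records[username]
    return false if rec.nil? || token.nil?
    if @clock.call - rec[:issued_at] > TTL_SECONDS
      @records.delete(username) # expired: purge the record
      return false
    end
    secure_equal?(rec[:digest], Digest::SHA256.hexdigest(token))
  end

  # Password actually changed: the token is consumed exactly once.
  def consume(username, token)
    return false unless valid?(username, token)
    @records.delete(username)
    true
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

The page handler would call `valid?` when the link is opened and `consume` only in the request that stores the new password, so a used or expired token is rejected at both points.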